Abstract: An input regarding security characteristics of a project is received. For example, a security characteristic of a project may be insecure storage of data related to confidentiality. The project is scanned for one or more security requirements based on the received security characteristics. A list of security requirements is built for the project based on the received first input. A machine learning process is used to identify addition of one or more security requirements and/or removal of one or more security requirements from the list of security requirements. A first security vulnerability scan is run using the list of security requirements with the one or more additional security requirements and/or the removed one or more security requirements. Results for the first security vulnerability scan are generated and displayed to a user.

Abstract: Testing software applications is routinely limited by time or testing iterations rather than exhaustively testing ever possible permutation of inputs or execution paths. By configuring a testing device to only perform relevant tests, the test results are more meaningful (e.g., few false-positives) and relevant to the application. Additional effects include reduced processing times and storage requirements. As described herein, source code is analyzed to determine elements that indicate a particular environment for the source code's corresponding machine code. When the source code indicates that a particular environment is not a candidate for execution of the machine code, tests associated with that particular environment are excluded. The testing device is then configured to perform those tests, either statically or dynamically, that are relevant for those environments that actually apply.

Abstract: Testing software applications often requires a balancing of thoroughness versus the time and computing resources available to perform such tests. By performing a static analysis on candidate software source code and, from the static analysis, configuring a dynamic analysis component to execute the tests, allows for extraneous tests to be omitted. For example, performing certain vulnerability attacks on a function may be futile if the attack requires a string input but the function only accepts integers. By combining static and dynamic analysis, unnecessary tests may be omitted and the results of each analysis process correlated to identify actual vulnerabilities or falsely indicted vulnerabilities reported by one of the static or dynamic analysis component.